my personal blog about systemcenter

Testing ScaleFT BeyondCorp Secure Remote Access without a VPN

Categories: BeyondCorp, NoVPN, ScaleFT, Security
Testing ScaleFT access from an admin workstation to a remote server over Remote Desktop Protocol, without a VPN or a Remote Desktop Gateway

ScaleFT provides BeyondCorp-style secure access to internal resources without publishing them over a VPN or exposing them directly to the internet

This setup covers a basic integration between one PC and one server. ScaleFT provides a free version for personal use for up to 5 servers, so this is a large step forward in providing secure access to your resources

Sign up at https://www.scaleft.com/ ; there is excellent documentation in place and instant trial access

This is my first go at a BeyondCorp install and so far it looks very good

This is a simple test without the full security integration, so no AzureAD or Okta; there is room for more improvements

Overall process

1. Register trial

2. Set up client

3. Create project

4. Add server to project

5. Add permission to project

6. Use secure BeyondCorp access to your internal resources

Protocols available: web applications, Remote Desktop and SSH

And the step by step

Logging in to the interface, there are no clients for now

Adding a client is as simple as downloading the client and running

sft enroll --team "tenant name"

ScaleFT does not require local admin rights on the machine the access is started from

Adding the client to the team requires authentication; from the initial testing with Edge I saw some issues that need a bit of time to repro, but running with Chrome works

And we can now see my PC in the portal

To enroll a server we need to create a project

Then we can go to Enrollment Tokens to create a token for the server to enroll with

Set a token name and save the token

On the server we can install the ScaleFT server-side tools with PowerShell:

PS C:\ScaleFT> Import-Module .\Install.psm1

PS C:\ScaleFT> Install-ScaleFTServerTools -EnrollmentToken

Downloading https://dist.scaleft.com/server-tools/windows/latest/ScaleFT-Server-Tool

C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi is signed by ScaleFT

Starting msiexec on C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

MSI Log path: C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.log

Removing C:\Users\Administrator\AppData\Local\Temp\2\tmp1AC.msi

Starting Service scaleft-server-tools

True

And 2 minutes later we have it installed (on my slow connection)

And we now have a server to access

As we deal with zero trust, we need to create a group that grants access

Groups can grant either local admin or local user permissions; for this test we will use Admin

Back to my client to run sft list-servers

We get prompted to grant access to ScaleFT and allow it

I can now see my server

And we try to log in

In this environment we have locked down NTLM, and ScaleFT proxies the connection through localhost, so we need to allow that

Adding localhost to the NTLM exceptions

And we can now logon through our tunnel.

And when we are done working we can issue sft logout

And we have a full audit history

Can you tell if a PC remoted in from an unencrypted machine in your environment?

So, what does ScaleFT do on our Windows box to create access and users?

After initial authentication we can see ScaleFT creating the admindemo user (that is my ScaleFT user), adding it to local admin and terminal server users:

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'1d55549f-d4c9-7adc-2463-3b3414354e7c'" goal=user_create

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'BUILTIN-A3FC-7CF8FAD6C251'" goal=group_member_add

time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'BUILTIN–B750-50F1D33462FE'" goal=group_member_add
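As an added example (not ScaleFT's own tooling), here is a small Python parser for the logfmt-style server-tools lines above: it pulls out the local user creations and group additions that osedit applied and flags the ones landing in an admin-equivalent local group, which is the kind of check a defender would run over these logs. The sample log is constructed from the lines above with placeholder ids.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the logfmt style of the ScaleFT server-tools log
# shown above; the user/group ids are placeholders, not values from the post.
SAMPLE_LOG = '''
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Creating local user 'admindemo' based on user:'<scaleft-user-id>'" goal=user_create
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Administrators' based on group:'<scaleft-group-id>'" goal=group_member_add
time="2018-07-17T14:13:27+02:00" level=info msg="osedit: applying change to system" description="Adding local user 'admindemo' to local group 'Remote Desktop Users' based on group:'<scaleft-group-id>'" goal=group_member_add
time="2018-07-17T14:20:01+02:00" level=info msg="no changes needed"
'''

# Local groups whose membership is admin-equivalent on a Windows host.
ADMIN_GROUPS: Set[str] = {"Administrators"}

# One logfmt token: key=value, where value is either double-quoted (backslash
# escapes allowed inside) or a bare run of non-space characters.
TOKEN_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
USER_CREATE_RE = re.compile(r"Creating local user '([^']+)'")
GROUP_ADD_RE = re.compile(r"Adding local user '([^']+)' to local group '([^']+)'")


def parse_logfmt(line: str) -> Dict[str, str]:
    """Split one logfmt line into a key -> value dict."""
    fields: Dict[str, str] = {}
    for m in TOKEN_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def audit_osedit_events(log_text: str) -> List[dict]:
    """Return the user-create and group-add changes osedit applied, in order."""
    events = []
    for raw in log_text.splitlines():
        fields = parse_logfmt(raw.strip())
        goal, desc = fields.get("goal"), fields.get("description", "")
        if goal == "user_create" and (m := USER_CREATE_RE.search(desc)):
            events.append({"time": fields["time"], "goal": goal,
                           "user": m.group(1), "group": None, "admin": False})
        elif goal == "group_member_add" and (m := GROUP_ADD_RE.search(desc)):
            user, group = m.groups()
            events.append({"time": fields["time"], "goal": goal, "user": user,
                           "group": group, "admin": group in ADMIN_GROUPS})
    return events


def admin_users(log_text: str) -> Set[str]:
    """Users the log shows being placed into an admin-equivalent local group."""
    return {e["user"] for e in audit_osedit_events(log_text) if e["admin"]}
```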

ScaleFT cycles the password at each logon, so a test from here shows

* Username : WIN-GNM5AES6691\admindemo

* Domain : TERMSRV/127.0.0.1

* Password : C1Vi5JqadyEZjW%HuskZcWM3cI3JkXOPDx#JApF3HvgB#%ZxpMZ3D4wBKPGdcT4n

And after the next logon

* Username : WIN-GNM5AES6691\admindemo

* Domain : TERMSRV/127.0.0.1

* Password : i7GYIDBh%[email protected]

So that looks good